Abstract. We consider the distributed control problem in the setting
of Zielonka asynchronous automata. Such automata are compositions of 
finite processes communicating via shared actions and evolving asyn- 
chronously. Most importantly, processes participating in a shared action 
can exchange complete information about their causal past. This gives 
more power to controllers, and avoids simple pathological undecidable 
cases as in the setting of Pnueli and Rosner. We show the decidability of 
the control problem for Zielonka automata over acyclic communication 
architectures. We also provide a matching lower bound, which is $l$-fold
exponential, $l$ being the height of the architecture tree.

1 Introduction 

Synthesis is by now well understood in the case of sequential systems. It is useful 
for constructing small, yet safe, critical modules. Initially, the synthesis problem 
was stated by Church, who asked for an algorithm to construct devices trans- 
forming sequences of input bits into sequences of output bits in a way required 
by a specification P]. Later Ramadge and Wonham proposed the supervisory 
control formulation, where a plant and a specification are given, and a controller 
should be designed such that its product with the plant satisfies the specifica- 
tion [19]. So control means restricting the behavior of the plant. Synthesis is the 
particular case of control where the plant allows for every possible behavior. 

For synthesis of distributed systems, a common belief is that the problem 
is in general undecidable, referring to work by Pnueli and Rosner [15]. They 
extended Church's formulation to an architecture of synchronously communicat- 
ing processes, that exchange messages through one slot communication channels. 
Undecidability in this setting comes mainly from partial information: specifica- 
tions permit to control the flow of information about the global state of the 
system. The only decidable type of architectures is that of pipelines. 

The setting we consider here is based on a by now well-established model 
of distributed computation using shared actions: Zielonka's asynchronous au- 
tomata [22]. Such a device is an asynchronous product of finite-state processes 
synchronizing on common actions. Asynchronicity means that processes can 
progress at different speed. Similarly to [6, 13] we consider the control problem
for such automata. Given a Zielonka automaton (plant), find another Zielonka 
automaton (controller) such that the product of the two satisfies a given
specification. In particular, the controller does not restrict the parallelism of the
system. Moreover, during synchronization the individual processes of the
controller can exchange all their information about the global state of the system.
This gives more power to the controller than in the Pnueli and Rosner model, 
thus avoiding simple pathological scenarios leading to undecidability. It is still 
open whether the control problem for Zielonka automata is decidable. 

In this paper we prove decidability of the control problem for reachability 
objectives on tree architectures. In such architectures every process can com- 
municate with its parent, its children, and with the environment. If a controller 
exists, our algorithm yields a controller that is a finite state Zielonka automa- 
ton exchanging information of bounded size. We also provide the first non-trivial 
lower bound for asynchronous distributed control. It matches the $l$-fold
exponential complexity of our algorithm ($l$ being the height of the architecture).

As an example, our decidability result covers client-server architectures where
a server communicates with clients, and server and clients have their own
interactions with the environment (cf. Figure 1). Our algorithm providing a controller
for this architecture runs in exponential time. Moreover, each controller adds
polynomially many bits to the state space of the process. Note also that this
architecture is undecidable for [15] (each process has inputs), and is not covered
by [6] (the action alphabet is not a co-graph), nor by [13] (there is no bound on
the number of actions performed concurrently).

Related work. The setting proposed by Pnueli and Rosner [15] has been
thoroughly investigated in past years. By now we understand that, suitably using
the interplay between specifications and an architecture, one can get undecid- 
ability results for most architectures rather easily. While specifications leading 
to undecidability are very artificial, no elegant solution to eliminate them exists 
at present. 

The paper gives an automata-theoretic approach to solving pipeline ar- 
chitectures and at the same time extends the decidability results to CTL* spec- 
ifications and variations of the pipeline architecture, like one-way ring architec- 
tures. The synthesis setting is investigated in [12] for local specifications, meaning 
that each process has its own, linear-time specification. For such specifications, 
it is shown that an architecture has a decidable synthesis problem if and only if 
it is a sub-architecture of a pipeline with inputs at both endpoints. The paper [S] 
proposes information forks as a uniform notion explaining the (un)decidability
results in distributed synthesis. In [16] the authors consider distributed synthesis 
for knowledge-based specifications. The paper [7] studies an interesting case of 
external specifications and well-connected architectures. 




Fig. 1. Server/client architecture 

Synthesis for asynchronous systems has been strongly advocated by Pnueli
and Rosner in [17]. Their notion of asynchronicity is not exactly the same as ours:
it means roughly that system/environment interaction is not turn-based, and
processes observe the system only when scheduled. This notion of asynchronicity
appears in several subsequent works, such as [20, 9] for distributed synthesis.

As mentioned above, we do not know whether the control problem in our 
setting is decidable in general. Two related decidability results are known, both 
of different flavor than ours. The first one [6] restricts the alphabet of actions:
control with reachability condition is decidable for co-graph alphabets. This re- 
striction excludes among others client-server architectures. The second result [13] 
shows decidability by restricting the plant: roughly speaking, the restriction says 
that every process can have only bounded missing knowledge about the other 
processes (unless they diverge). The proof of [13] goes beyond the controller
synthesis problem, by coding it into monadic second-order theory of event struc- 
tures and showing that this theory is decidable when the criterion on the plant 
holds. Unfortunately, very simple plants have a decidable control problem but 
undecidable MSO-theory of the associated event structure. Mellies [T3] relates 
game semantics and asynchronous games, played on event structures. More re- 
cent work ^3 considers finite games on event structures and shows a determinacy 
result for such games under some restrictions. 

Organization of the paper. The next section presents basic definitions. The two 
consecutive sections present the algorithm and the matching lower bound. 

2 Basic definitions and observations 

Our control problem can be formulated in the same way as the Ramadge and 
Wonham control problem but using Zielonka automata instead of standard finite 
automata. We start by presenting Zielonka automata and an associated notion 
of concurrency. Then we briefly recall the Ramadge and Wonham formulation 
and our variant of it. Finally, we give a more convenient game-based formulation 
of the problem. 

2.1 Zielonka automata 

Zielonka automata are simple parallel devices. Such an automaton is a parallel 
composition of several finite automata, denoted as processes, synchronizing on 
common actions. There is no global clock, so between two synchronizations, two 
processes can do a different number of actions. Because of this Zielonka automata 
are also called asynchronous automata. 

A distributed action alphabet on a finite set $\mathbb{P}$ of processes is a pair $(\Sigma, dom)$,
where $\Sigma$ is a finite set of actions and $dom : \Sigma \to (2^{\mathbb{P}} \setminus \{\emptyset\})$ is a location function.
The location $dom(a)$ of action $a \in \Sigma$ comprises all processes that need to
synchronize in order to perform this action. A (deterministic) Zielonka automaton
$\mathcal{A} = \langle \{S_p\}_{p \in \mathbb{P}}, s_{in}, \{\delta_a\}_{a \in \Sigma} \rangle$ is given by

- for every process $p$ a finite set $S_p$ of (local) states,
- the initial state $s_{in} \in \prod_{p \in \mathbb{P}} S_p$,
- for every action $a \in \Sigma$ a partial transition function
  $\delta_a : \prod_{p \in dom(a)} S_p \to \prod_{p \in dom(a)} S_p$ on tuples of states of processes in $dom(a)$.

For convenience, we abbreviate a tuple $(s_p)_{p \in P}$ of local states by $s_P$, where
$P \subseteq \mathbb{P}$. We also talk about $S_p$ as the set of $p$-states and of $\prod_{p \in \mathbb{P}} S_p$ as global
states. Actions from $\Sigma_p = \{a \in \Sigma \mid p \in dom(a)\}$ are denoted as $p$-actions.

A Zielonka automaton can be seen as a sequential automaton with the 



sequential automaton that start from the initial state. 

This definition has an important consequence. The location mapping $dom$
defines in a natural way an independence relation $I$: two actions $a, b \in \Sigma$ are
independent (written as $(a, b) \in I$) if they involve different processes, that is,
if $dom(a) \cap dom(b) = \emptyset$. Notice that the order of execution of two independent
actions $(a, b) \in I$ in a Zielonka automaton is irrelevant, they can be executed as
$a, b$, or $b, a$ - or even concurrently. More generally, we can consider the congruence
$\sim_I$ on $\Sigma^*$ generated by $I$, and observe that whenever $u \sim_I v$, the global state
reached from the initial state on $u$ and $v$, respectively, is the same. Hence, $u \in
L(\mathcal{A})$ if and only if $v \in L(\mathcal{A})$. Notice also that if $u \sim_I vx$ and $x \in \Sigma^*$ involves
no $p$-action, then the $p$-state reached on $u$ and $v$, respectively, is the same.

The idea of describing concurrency by an independence relation on actions 
goes back to the late seventies, to Mazurkiewicz fT?' and Keller fTUl (see also 
[1]). An equivalence class $[w]_I$ of $\sim_I$ is called a Mazurkiewicz trace, it can be
also viewed as labeled pomset of a special kind. Here, we will often refer to a
trace using just a word $w$ instead of writing $[w]_I$. As we have observed $L(\mathcal{A})$ is
a sum of such equivalence classes. In other words it is trace-closed.

Example 1. Consider the following, very simple, example with processes 1, 2, 3.
Process 1 has local actions $a_0, a_1$ and synchronization actions $c_{i,j}$ ($i,j = 0,1$)
shared with process 2. Similarly, process 3 has local actions $b_0, b_1$ and
synchronization actions $d_{i,j}$ ($i,j = 0,1$) shared with process 2 (cf. Figure 2, where the
symbol $*$ denotes any value 0 or 1). Each process is a finite automaton and the
Zielonka automaton is the product of the three components synchronizing on
common actions. We have for instance $(a_i, b_j) \in I$ and $(c_{i,j}, d_{k,l}) \notin I$. The final
states are the rightmost states of each automaton. The automaton accepts traces
of the form $a_i b_j c_{i,k} d_{j,l}$ with $i = l$ or $j = k$.

Since the notion of a trace can be formulated without a reference to an 
accepting device, it is natural to ask if the model of Zielonka automata is pow- 
erful enough. Zielonka's theorem says that this is indeed the case, hence these 
automata are a right model for the simple view of concurrency captured by 
Mazurkiewicz traces. 

Fig. 2. A Zielonka automaton

Theorem 1. Let $dom : \Sigma \to (2^{\mathbb{P}} \setminus \{\emptyset\})$ be a distribution of letters. If
a language $L \subseteq \Sigma^*$ is regular and trace-closed then there is a deterministic
Zielonka automaton accepting L (of size exponential in the number of processes 
and polynomial in the size of the minimal automaton for L, see JEj). 

One could try to use Zielonka's theorem directly to solve a distributed control 
problem. For example, one can start with the Ramadge and Wonham control 
problem, solve it, and if a solution happened to respect the required indepen- 
dence, then distribute it. Unfortunately, there is no reason for the solution to 
respect the independence. Even worse, the following, relatively simple, result 
says that it is algorithmically impossible to approximate a regular language by 
a language respecting a given independence relation. 

Theorem 2. [21] It is not decidable if given a distributed alphabet and a regular
language $L \subseteq \Sigma^*$, there is a trace-closed language $K \subseteq L$ such that every letter
from $\Sigma$ appears in some word of $K$.

The condition on appearance of letters above is not crucial for the above 
undecidability result. Observe that we need some condition in order to make the 
problem nontrivial, since by definition the empty language is trace-closed. 

2.2 The control problem 

We can now formulate our control problem as a variant of the Ramadge and 
Wonham formulation. We will then provide an equivalent description of the 
problem in terms of games. While more complicated to state, this description is 
easier to work with. 

Recall that in Ramadge and Wonham's control problem [19] we are given an
alphabet $\Sigma$ of actions partitioned into system and environment actions:
$\Sigma^{sys} \cup \Sigma^{env} = \Sigma$. Given a plant $P$ we are asked to find a controller $C$ such that
the product $P \times C$ satisfies a given specification. Here both the plant and the
controller are finite deterministic automata over $\Sigma$. Additionally, the controller
is required not to block environment actions, which in technical terms means
that from every state of the controller there should be a transition on every
action from $\Sigma^{env}$.

Our control problem can be formulated as follows: Given a distributed
alphabet $(\Sigma, dom)$ as above and a Zielonka automaton $P$, find a Zielonka automaton
$C$ over the same distributed alphabet such that $P \times C$ satisfies a given
specification. Additionally the controller is required not to block uncontrollable actions:
from every state of $C$ every uncontrollable action should be possible. The impor-
tant point is that the controller should have the same distributed structure as 
the plant. The product of the two automata, that is just the standard product, 
means that plant and controller are totally synchronized, in particular commu- 
nications between processes happen at the same time. Hence concurrency in the 
controlled system is the same as in the plant. The major difference between the 
controlled system and the plant is that the states carry the additional informa- 
tion computed by the controller. 

Example 2. Reconsider the automaton in Figure 2 and assume that $a_i, b_j \in \Sigma^{env}$
are uncontrollable. So the controller needs to propose controllable actions $c_{i,k}$ and
$d_{j,l}$, resp., in such a way that all processes reach their final state. In particular,
process 2 should not block. At first sight this may seem impossible to guarantee,
as it looks like process 1 needs to know what $b_j$ process 3 has received, or process
3 needs to know about the $a_i$ received by process 1. Nevertheless, a controller
exists. It consists of $P_1$ proposing $\{c_{i,i}\}$ at state $i$, process $P_3$ proposing $\{d_{j,1-j}\}$
at state $j$ and process $P_2$ proposing all actions. If $i = j$ then $P_2$ reaches the final
state by the transition $d_{k,*}$, else by the transition $d_{*,i}$.

It will be more convenient to work with a game formulation of this problem.
Instead of talking about controller we will talk about distributed strategy in
a game between system and environment. A plant defines a game arena, with
plays corresponding to initial runs of $\mathcal{A}$. Since $\mathcal{A}$ is deterministic, we can view a
play as a word from $L(\mathcal{A})$ - or a trace, since $L(\mathcal{A})$ is trace-closed. Let $Plays(\mathcal{A})$
denote the set of traces associated with words from $L(\mathcal{A})$.

A strategy for the system will be a collection of individual strategies for each
process. The important notion here is the view each process has about the global
state of the system. Intuitively this is the part of the current play that the process
could see or learn about from other processes during a communication with them.
Formally, the $p$-view of a play $u$, denoted $view_p(u)$, is the smallest trace $[v]_I$ such
that $u \sim_I vy$ and $y$ contains no action from $\Sigma_p$. We write $Plays_p(\mathcal{A})$ for the set
of plays that are $p$-views:

$$Plays_p(\mathcal{A}) = \{view_p(u) \mid u \in Plays(\mathcal{A})\}.$$
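
The independence relation of Section 2.1 and the $p$-view defined above can be computed directly on words. The following Python sketch is an added example, not code from the paper; it uses the alphabet of Example 1 with constructed action names such as `c00` for $c_{0,0}$, decides $u \sim_I v$ by comparing per-process projections, and extracts a $p$-view by a right-to-left scan.

```python
"""Mazurkiewicz traces and p-views over a distributed alphabet (added example)."""

# Distributed alphabet of Example 1: dom maps each action to the processes
# that must synchronize on it. The action names are constructed for this sketch.
DOM = {"a0": {1}, "a1": {1}, "b0": {3}, "b1": {3}}
for i in (0, 1):
    for j in (0, 1):
        DOM[f"c{i}{j}"] = {1, 2}   # shared by processes 1 and 2
        DOM[f"d{i}{j}"] = {2, 3}   # shared by processes 2 and 3
PROCESSES = {1, 2, 3}


def independent(a, b, dom=DOM):
    """(a, b) is in I iff dom(a) and dom(b) are disjoint."""
    return not (dom[a] & dom[b])


def projection(word, p, dom=DOM):
    """The subsequence of p-actions of a word."""
    return [a for a in word if p in dom[a]]


def trace_equivalent(u, v, dom=DOM, processes=PROCESSES):
    """u ~_I v iff every process sees the same sequence of its own actions.

    This characterization holds because two dependent actions always share
    a process, and every action belongs to at least one process.
    """
    return all(projection(u, p, dom) == projection(v, p, dom)
               for p in processes)


def view(word, p, dom=DOM):
    """Split word into (v, y) with word ~_I v y, [v] = view_p(word) and
    y containing no p-action.

    Scanning right to left, an action belongs to the view iff it shares a
    process with p or with a later action already placed in the view.
    """
    seen = {p}              # processes occurring in the view collected so far
    v, y = [], []
    for a in reversed(word):
        if dom[a] & seen:
            v.append(a)
            seen |= dom[a]
        else:
            y.append(a)     # independent of every view action to its right
    v.reverse()
    y.reverse()
    return v, y


def same_view(u1, u2, p, dom=DOM):
    """True iff process p cannot tell the plays u1 and u2 apart."""
    return trace_equivalent(view(u1, p, dom)[0], view(u2, p, dom)[0])
```

A strategy of process $p$ must give the same answer on two plays for which `same_view` holds, which is why process 1 in Example 2 cannot base its proposal on the $b_j$ received by process 3.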

A strategy for a process $p$ is a function $\sigma_p : Plays_p(\mathcal{A}) \to 2^{\Sigma_p^{sys}}$, where $\Sigma_p^{sys} =
\{a \in \Sigma^{sys} \mid p \in dom(a)\}$. We require in addition, for every $u \in Plays_p(\mathcal{A})$, that
$\sigma_p(u)$ is a subset of the actions that are possible in the $p$-state reached on $u$. A
strategy is a family of strategies $\{\sigma_p\}_{p \in \mathbb{P}}$, one for each process.

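The set of plays respecting a strategy $\sigma = \{\sigma_p\}_{p \in \mathbb{P}}$, denoted $Plays(\mathcal{A}, \sigma)$,
is the smallest set containing the empty play $\varepsilon$, and such that for every $u \in
Plays(\mathcal{A}, \sigma)$:

1. if $a \in \Sigma^{env}$ and $ua \in Plays(\mathcal{A})$ then $ua$ is in $Plays(\mathcal{A}, \sigma)$;

2. if $a \in \Sigma^{sys}$ and $ua \in Plays(\mathcal{A})$ then $ua \in Plays(\mathcal{A}, \sigma)$ provided that $a \in
\sigma_p(view_p(u))$ for all $p \in dom(a)$.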

Intuitively, the definition says that actions of the environment are always
possible, whereas actions of the system are possible only if they are allowed by the
strategies of all involved processes. As in [13] (and unlike [6]) our strategies are
process-based. That is, a controllable action $a$ with $dom(a) = \{p, q\}$ is allowed
from $(s_p, s_q)$ if it is proposed by process $p$ in state $s_p$ and by process $q$ in state
$s_q$. Before defining winning strategies, we need to introduce infinite plays that
are consistent with a given strategy $\sigma$. Such plays can be seen as (infinite) traces
associated with infinite, initial runs of $\mathcal{A}$ satisfying the two conditions of the
definition of $Plays(\mathcal{A}, \sigma)$. We write $Plays^\infty(\mathcal{A}, \sigma)$ for the set of finite or infinite
such plays. A play from $Plays^\infty(\mathcal{A}, \sigma)$ is also denoted as $\sigma$-play.

A play $u \in Plays^\infty(\mathcal{A}, \sigma)$ is called maximal, if there is no action $c$ such
that $uc \in Plays^\infty(\mathcal{A}, \sigma)$. In particular, $u$ is maximal if $view_p(u)$ is infinite for
every process $p$. Otherwise, if $view_p(u)$ is finite then $p$ cannot have enabled
local actions (either controllable or uncontrollable). Moreover there should be
no communication possible between any two processes with finite views in $u$.

In this paper we consider local reachability winning conditions. For this,
every process has a set of target states $F_p \subseteq S_p$. We assume that states in
$F_p$ are blocking, that is they have no outgoing transitions. This means that if
$(s_{dom(a)}, s'_{dom(a)}) \in \delta_a$ then $s_p \notin F_p$ for all $p \in dom(a)$.

Definition 1. The control problem for a plant $\mathcal{A}$ and a local reachability
condition $(F_p)_{p \in \mathbb{P}}$ is to determine if there is a strategy $\sigma = (\sigma_p)_{p \in \mathbb{P}}$ such that every
maximal trace $u \in Plays^\infty(\mathcal{A}, \sigma)$ ends in $\prod_{p \in \mathbb{P}} F_p$ (and is thus finite). Such
traces and strategies are called winning.

As already mentioned, we do not know if this control problem is decidable
in general. In this paper we put one restriction on possible communications
between processes. First, we impose two simplifying assumptions on the
distributed alphabet $(\Sigma, dom)$. The first one is that all actions are at most binary:
$|dom(a)| \le 2$, for every $a \in \Sigma$. The second requires that all uncontrollable
actions are local: $|dom(a)| = 1$, for every $a \in \Sigma^{env}$. The first restriction says that
we allow only binary synchronizations. It makes the technical reasoning much
simpler. The second restriction reflects the fact that each process is modeled
with its own, local environment.

Definition 2. A distributed alphabet $(\Sigma, dom)$ with unary and binary actions
defines an undirected graph $CG$ with node set $\mathbb{P}$ and edges $\{p, q\}$ if there exists
$a \in \Sigma$ with $dom(a) = \{p, q\}$, $p \ne q$. Such a graph is called communication graph.

3 The upper bound for acyclic communication graphs 

We fix in this section a distributed alphabet $(\Sigma, dom)$. According to Definition 2
the alphabet determines a communication graph $CG$. We assume that $CG$ is
acyclic and has at least one edge. This allows us to choose a leaf $r \in \mathbb{P}$ in $CG$,
with $\{q, r\}$ an edge in $CG$. Throughout this section, $r$ denotes this fixed leaf
process and $q$ its parent process. Starting from a control problem with input
$\mathcal{A}, (F_p)_{p \in \mathbb{P}}$ we define below a control problem over the smaller (acyclic) graph
$CG' = CG_{\mathbb{P} \setminus \{r\}}$. The construction will be an exponential-time reduction from the
control problem over $CG$ to a control problem over $CG'$. If we represent $CG$ as a
tree of depth $l$ then applying this construction iteratively we will get an $l$-fold
exponential algorithm to solve the control problem for $CG$ architecture.
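
The preconditions of this section can be checked mechanically before any reduction is attempted. The following Python sketch is an added example, not part of the paper: it validates the two alphabet restrictions, builds the communication graph of Definition 2, and lists the successive (leaf $r$, parent $q$) pairs that the iterated reduction would eliminate. The client-server alphabet, the process and action names, and the convention that height is counted in edges are assumptions made for the illustration.

```python
"""Communication graph checks and leaf elimination order (added example)."""
from collections import deque

# Constructed client-server alphabet: server "s", clients "c1".."c3".
PROCESSES = {"s", "c1", "c2", "c3"}
DOM = {
    "req1": {"c1", "s"}, "req2": {"c2", "s"}, "req3": {"c3", "s"},
    "in_s": {"s"}, "in_c1": {"c1"}, "in_c2": {"c2"}, "in_c3": {"c3"},
}
ENV = {"in_s", "in_c1", "in_c2", "in_c3"}     # uncontrollable actions


def communication_graph(dom, env):
    """Edges {p, q} of CG (Definition 2), after checking both restrictions."""
    edges = set()
    for a, procs in dom.items():
        if not 1 <= len(procs) <= 2:
            raise ValueError(f"{a}: actions must be unary or binary")
        if a in env and len(procs) != 1:
            raise ValueError(f"{a}: uncontrollable actions must be local")
        if len(procs) == 2:
            edges.add(frozenset(procs))
    return edges


def leaf_elimination_order(processes, edges):
    """Successive (leaf r, parent q) pairs; ValueError if CG has a cycle."""
    adj = {p: set() for p in processes}
    for e in edges:
        p, q = tuple(e)
        adj[p].add(q)
        adj[q].add(p)
    order, remaining = [], len(edges)
    while remaining:
        leaves = sorted(p for p in adj if len(adj[p]) == 1)
        if not leaves:      # edges left but no leaf: every node lies on a cycle
            raise ValueError("communication graph has a cycle")
        r = leaves[0]
        (q,) = adj[r]
        order.append((r, q))
        adj[r].clear()
        adj[q].discard(r)
        remaining -= 1
    return order


def tree_height(processes, edges, root):
    """Longest root-to-leaf distance, counted in edges (assumed convention)."""
    adj = {p: set() for p in processes}
    for e in edges:
        p, q = tuple(e)
        adj[p].add(q)
        adj[q].add(p)
    depth, queue = {root: 0}, deque([root])
    while queue:
        p = queue.popleft()
        for n in adj[p] - depth.keys():
            depth[n] = depth[p] + 1
            queue.append(n)
    return max(depth.values())


def is_acyclic_architecture(processes, dom, env):
    """True iff the alphabet meets both restrictions and CG is acyclic."""
    try:
        leaf_elimination_order(processes, communication_graph(dom, env))
        return True
    except ValueError:
        return False
```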

The main idea of the reduction is simple: process q simulates the behavior 
of process r. The reason why a simulation can work is that after each synchro- 
nization between q and r, the views of both processes are identical, and between 
two such synchronizations r evolves locally. But the construction is more delicate 
than this simple description suggests, and needs some preliminary considerations 
about winning strategies. 

We start with a lemma showing how to restrict the winning strategies. For
$p, p' \in \mathbb{P}$ let $\Sigma_{p,p'} = \{a \in \Sigma \mid dom(a) = \{p, p'\}\}$. So $\Sigma_{p,p'}$ is the set of
synchronization actions between $p$ and $p'$. Moreover $\Sigma_{p,p}$ is just the set of local actions
of $p$. We write $\Sigma_p^{loc}$ instead of $\Sigma_{p,p}$ and $\Sigma_p^{com} = \Sigma_p \setminus \Sigma_p^{loc}$. Recall that in the
lemma below $r$ is the fixed leaf process, and $q$ its parent.

Lemma 1. If there exists some winning strategy for $\mathcal{A}$, then there is one, say
$\sigma$, such that for every $u \in Plays(\mathcal{A}, \sigma)$ the following hold:

1. If an uncontrollable action is possible from a state $s_r$ of process $r$ then for
every play $u$ with $state_r(u) = s_r$ we have $\sigma_r(view_r(u)) = \emptyset$.

2. For every process $p$ and $X = \sigma_p(view_p(u))$, we have either $X = \{a\}$ for
some $a \in \Sigma_p^{loc}$ or $X \subseteq \Sigma_p^{com}$.

3. Let $X = \sigma_q(view_q(u))$ with $X \subseteq \Sigma_q^{com}$. Then either $X \subseteq \Sigma_{q,r}$ or $X \subseteq
\Sigma_q^{com} \setminus \Sigma_{q,r}$ holds.

Proof. The first item is immediate, since uncontrollable actions are always
possible. For the second item we modify $\sigma$ into $\sigma'$ as follows. If $\sigma_p(u)$ contains
some local action, then we choose one, say $a$, and put $\sigma'_p(u) = \{a\}$. We do this
for every process $p$ and show that the resulting strategy $\sigma'$ is winning. Suppose
that $v \in Plays(\mathcal{A}, \sigma')$ is maximal, but not winning. Clearly $v$ is a $\sigma$-play, but
not a maximal one, since $\sigma$ is winning. Thus, there is $vc \in Plays(\mathcal{A}, \sigma)$ for some
processes $p \ne p'$ and some $c \in \Sigma_{p,p'}$. By definition of $\sigma'$ it means that either
$\sigma_p(view_p(v))$ or $\sigma_{p'}(view_{p'}(v))$ contains some local action, say $a \in \sigma_p(view_p(v))$
and $\sigma'_p(view_p(v)) = \{a\}$. But then $va$ is a $\sigma'$-play, a contradiction with the
maximality of $v$.

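For the last item we can assume that $\sigma_q$ and $\sigma_r$ always propose either a local
action or a set of communication actions. Now given a winning strategy $\sigma$ we
will produce a winning strategy $\sigma'$ satisfying the condition of the lemma, by
modifying only $\sigma_r$.

Assume that $u \in Plays_q(\mathcal{A}, \sigma)$ with $s_q = state_q(u)$, and $\sigma_q(u) = B \cup C$,
where $B \subseteq \Sigma_{q,r}$ and $C \subseteq \Sigma_q^{com} \setminus \Sigma_{q,r}$ with both $B$, $C$ non-empty. We define $\sigma'_q$
by cases:

$$\sigma'_q(u) = \begin{cases} C & \text{if there exists } (s_r, A) \in Sync^\sigma_r(u) \text{ with } (s_r, A) \bowtie (s_q, B) = \emptyset, \\ B & \text{otherwise.} \end{cases}$$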

The idea behind the definition above is simple: if there is a possible local future
for r that makes synchronization with q impossible (first case), then q's strategy 
can as well propose only communication with other processes than r - since 
such communication leads to winning as well. If not, q's strategy can offer only 
communication with r, since this choice will never block. 

We show now that $\sigma'$ is winning. Assume by contradiction that $v$ is a maximal
$\sigma'$-play, but not winning. It is then a $\sigma$-play, but not a maximal one. So there
must be some $a \in \Sigma_q^{com}$ such that $va \in Plays(\mathcal{A}, \sigma)$. In particular, $q$'s state
after $v$ is not final. Let $u = view_q(v)$, $s_q = state_q(u)$, and $\sigma_q(u) = B \cup C$ with
$B \subseteq \Sigma_{q,r}$ and $C \subseteq \Sigma_q^{com} \setminus \Sigma_{q,r}$. We have two cases.

Suppose $\sigma'_q(u) = C$, so we are in the first case of the definition above. Thus
there exists $(s_r, A) \in Sync^\sigma_r(u)$ such that $(s_r, A) \bowtie (s_q, B) = \emptyset$. By definition of
$Sync^\sigma_r$ we find $x \in (\Sigma_r^{loc})^*$ such that $u' = ux$ is a $\sigma$-play and $\sigma_r(view_r(u')) = A$.

Since $u = view_q(u')$, we have $\sigma_q(view_q(u')) = B \cup C$. This means that no
communication between $q$ and $r$ is possible after $u'$. No local action of $q$ is
possible after $u'$ since $u = view_q(v)$, and we have assumed that $v$ is a maximal
$\sigma'$-play. Finally, by the choice of $x$, no local action of process $r$ is possible from
$u'$. To obtain a contradiction it suffices to show that $u'$ can be extended to a
maximal $\sigma$-play by adding a sequence of actions $w$ of processes other than $q$ and
$r$. This will do as $state_q(u')$ is not accepting by assumption, and we will get a
maximal $\sigma$-play that is not winning. To find the desired $w$ observe that $v \sim_I uwy$
where $w \in (\Sigma \setminus (\Sigma_q \cup \Sigma_r))^*$ and $y \in \Sigma_r^*$. So $y$ represents the actions of $r$ after
the last action of $q$ in $v$, and $w$ represents the actions of other processes. Taking
$v' = uwx$ we observe that $v' \sim_I u'w$ and that $v'$ is a maximal $\sigma$-play. So we have
found the desired $w$.

The second case is when $\sigma'_q(u) = B$. This means that for all $(s_r, A) \in
Sync^\sigma_r(u)$, we have $(s_r, A) \bowtie (s_q, B) \ne \emptyset$. Since $v$ is a maximal $\sigma'$-play, no local
action of $r$ is possible. This means that $(s_r, A) := (state_r(v), \sigma_r(view_r(v))) \in
Sync^\sigma_r(u)$. But then $(s_r, A) \bowtie (s_q, B) \ne \emptyset$. Since $\sigma'_q(u) = B$ there is some
possible communication between $q$ and $r$ after $v$, so $v$ is not maximal w.r.t. $\sigma'$.

□ 

The following definition associates with a strategy $\sigma$ and the leaf process $r$ all
the outcomes of local plays of $r$ such that $r$ is either waiting for a synchronization
with $q$ or is in a final (hence blocking) state. For an initial run $u$ of $\mathcal{A}$ we denote
by $state_p(u)$ the $p$-state reached by $\mathcal{A}$ on $u$.

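Definition 3. Given a strategy $\sigma$ and a $\sigma$-play $u$, let $Sync^\sigma_r(u) \subseteq S_r \times \mathcal{P}(\Sigma_{q,r})$
be the set:

$$Sync^\sigma_r(u) = \{(s_r, A) \mid \exists x \in (\Sigma_r^{loc})^*.\ ux \text{ is a } \sigma\text{-play},\ state_r(ux) = s_r,\ \sigma_r(view_r(ux)) = A \subseteq \Sigma_{q,r},\ \text{and } s_r \text{ final or } A \ne \emptyset\}.$$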

Observe that if $\sigma$ allows $r$ to reach a final state $s_r$ from $u$ without communication,
then $(s_r, \emptyset) \in Sync^\sigma_r(u)$. This is so, since final states are assumed to be blocking.

For the game reduction we need to precalculate all possible sets $Sync^\sigma_r$. These
sets will be actually of the special form described below.

Definition 4. Let $s_r$ be a state of $r$. We say that $T \subseteq S_r \times \mathcal{P}(\Sigma_{q,r})$ is an
admissible plan in $s_r$ if there is a play $u$ with $state_r(u) = s_r$, and a strategy $\sigma$
such that (i) $T = Sync^\sigma_r(u)$, (ii) every $\sigma$-play of $r$ from $s_r$ reaches a final state
or a state where $\sigma$ proposes some communication action, and (iii) one of the
following holds:

— $A \ne \emptyset$ for every $(t_r, A) \in T$, or

— $t_r \in F_r$ and $A = \emptyset$ for every $(t_r, A) \in T$.

In the second case $T$ is called a final plan.

It is not difficult to see that we can compute the set of all admissible plans. In
the above definition we do not ask that $\sigma$ is winning in the global game, but just
that it can locally bring $r$ to one of the situations described by $T$. So verifying
if $T$ is an admissible plan simply amounts to solving a 2-player reachability game
on process $r$ against the (local) environment.

Lemma 2 below allows to deduce that the sets $Sync^\sigma_r$ are admissible plans
whenever $\sigma$ is winning. For $(s_r, A), (s_q, B)$ with $s_q \in S_q$, $s_r \in S_r$, $A, B \subseteq \Sigma_{q,r}$,
let $(s_r, A) \bowtie (s_q, B) = \{a \in A \cap B \mid \delta_a(s_q, s_r) \text{ is defined}\}$. So $(s_r, A) \bowtie (s_q, B)$
contains all actions belonging to both $A$ and $B$, that are enabled in the state

Lemma 2. If $\sigma$ is a winning strategy satisfying Lemma 1 then for every $\sigma$-play
$u$ in $\mathcal{A}$ we have:

1. if there is some $\sigma$-play $uy$ with $y \in (\Sigma \setminus \Sigma_r)^*$ and $state_q(uy) \in F_q$ then
$Sync^\sigma_r(u)$ is a final plan;

2. if there is some $\sigma$-play $uy$ with $y \in (\Sigma \setminus \Sigma_r)^*$, $s_q = state_q(uy)$, $\sigma_q(uy) =
B \subseteq \Sigma_{q,r}$, and $B \ne \emptyset$ then for every $(t_r, A) \in Sync^\sigma_r(u)$ we have $(s_q, B) \bowtie
(t_r, A) \ne \emptyset$.

In particular, $Sync^\sigma_r(u)$ is always an admissible plan.

Proof. Take $y$ as in the statement of the lemma and suppose $state_q(uy) \in F_q$.
Take $(t_r, A) \in Sync^\sigma_r(u)$. By definition this means that there is $x \in (\Sigma_r^{loc})^*$ such
that $ux$ is a $\sigma$-play, $state_r(ux) = t_r$, and $\sigma_r(view_r(ux)) = A$ with $A \subseteq \Sigma_{q,r}$.
Observe that $uyx$ is also a $\sigma$-play. Hence $t_r$ should be final because after $uyx$
process $r$ can do at most communication with $q$, but this is impossible since $q$ is
in a final state. Since $t_r$ is final, it cannot propose an action, hence $A = \emptyset$. This
shows the first item of the lemma.

For the second item of the lemma take $y$, $s_q$, $B$, and $(t_r, A)$ as in the
assumption. Once again we get $x \in (\Sigma_r^{loc})^*$ such that $ux$ is a $\sigma$-play, $state_r(ux) = t_r$,
and $\sigma_r(view_r(ux)) = A$ with $A \subseteq \Sigma_{q,r}$. Once again $uyx$ is a $\sigma$-play. We have
that $s_q$ is not final since $B \ne \emptyset$. As $\sigma$ is winning, the play $uyx$ can be extended
by an action of $q$. But the only such action that is possible is a communication
between $q$ and $r$. Since $A$ and $B$ are the communication sets proposed by $\sigma_r$ and
$\sigma_q$, respectively, we must have $(s_q, B) \bowtie (t_r, A) \ne \emptyset$. □

The new plant $\mathcal{A}'$. We are now ready to define the reduced plant $\mathcal{A}'$ that is the
result of eliminating process $r$. Let $\mathbb{P}' = \mathbb{P} \setminus \{r\}$. We have $\mathcal{A}' = \langle \{S'_p\}_{p \in \mathbb{P}'}, s'_{in}, \{\delta'_a\}_{a \in \Sigma'} \rangle$
where the components will be defined below.

The states of process $q$ in $\mathcal{A}'$ are of one of the following types:

$(s_q, s_r)$, $(s_q, T)$, $(s_q, T, B)$,

where $s_q \in S_q$, $s_r \in S_r$, $T \subseteq S_r \times \mathcal{P}(\Sigma_{q,r})$ is an admissible plan, $B \subseteq \Sigma_{q,r}$. The
new initial state for $q$ is $((s_{in})_q, (s_{in})_r)$.

For every $p \ne q$, we let $S'_p = S_p$ and $F'_p = F_p$. The local winning condition
for $q$ becomes $F'_q = F_q \times F_r \cup \{(s_q, T) \mid s_q \in F_q, \text{ and } T \text{ is a final plan}\}$.

The set of actions $\Sigma'$ is $\Sigma \setminus \Sigma_r$, plus additional local $q$-actions that we
introduce below. All transitions $\delta_a$ with $dom(a) \cap \{q, r\} = \emptyset$ are as in $\mathcal{A}$. Regarding
$q$ we have the following transitions:

1. If not in a final state then process $q$ chooses an admissible plan:

where $T$ is an admissible plan in $s_r$, and $(s_q, s_r) \notin F_q \times F_r$.

2. Local action of $q$:

$(s_q, T) \xrightarrow{a} (s'_q, T)$, if $s_q \xrightarrow{a} s'_q$ in $\mathcal{A}$.

3. Synchronization between $q$ and $p \ne r$:

$((s_q, T), s_p) \xrightarrow{a} ((s'_q, T), s'_p)$, if $(s_q, s_p) \xrightarrow{a} (s'_q, s'_p)$.

4. Synchronization between $q$ and $r$. Process $q$ declares the communication
actions with $r$:

$(s_q, T) \xrightarrow{ch(B)} (s_q, T, B)$, if $B \subseteq \Sigma_{q,r}$

when $s_q$ is not final, $T$ is not a final plan, and for every $(t_r, A) \in T$ we have
$(t_r, A) \bowtie (s_q, B) \ne \emptyset$.

Then the environment can choose the target state of $r$ and a synchronization
action $a \in \Sigma_{q,r}$:

$(s_q, T, B) \xrightarrow{(a, t_r)} (s'_q, s'_r)$, if $(s_q, t_r) \xrightarrow{a} (s'_q, s'_r)$ in $\mathcal{A}$

for every $(a, t_r)$ such that $(t_r, A) \in T$ for some $A$, and $a \in A \cap B$. Notice
that the complicated name of the action $(a, t_r)$ is needed to ensure that the
transition is deterministic.

To summarize, the new actions of process $q$ in plant $\mathcal{A}'$ are:

- $ch(T) \in \Sigma^{sys}$, for every admissible plan $T$,

- $ch(B) \in \Sigma^{sys}$, for each $B \subseteq \Sigma_{q,r}$,

- $(a, t_r) \in \Sigma^{env}$ for each $a \in \Sigma_{q,r}$, $t_r \in S_r$.

The proof showing that this construction is correct provides a translation
from winning strategies in $\mathcal{A}$ to winning strategies in $\mathcal{A}'$, and back. To this
purpose we rely on a translation from plays in $\mathcal{A}$ to plays in $\mathcal{A}'$. A (finite or
infinite) play $u$ in $\mathcal{A}$ is a trace that will be convenient to view as a word of the
form

$$u = y_0 x_0 a_1 \cdots a_i y_i x_i a_{i+1} \dots$$

where for $i \in \mathbb{N}$ we have that: $a_i \in \Sigma_{q,r}$ is communication between $q$ and $r$;
$x_i \in (\Sigma_r^{loc})^*$ is a sequence of local actions of $r$; and $y_i \in (\Sigma \setminus \Sigma_r)^*$ is a sequence
of actions of other processes than $r$. Note that $x_i, y_i$ are concurrent, for each $i$.
We will write $u|_{a_i}$ for the prefix of $u$ ending in $a_i$. Similarly $u|_{y_i}$ for the prefix
ending with $y_i$; analogously for $x_i$.

Fix a strategy $\sigma$ in $\mathcal{A}$. With a word $u$ as above we will associate the word

$$\chi(u) = ch(T_0)\, y_0\, ch(B_0)\, (a_1, t_r^1) \cdots (a_i, t_r^i)\, ch(T_i)\, y_i\, ch(B_i)\, (a_{i+1}, t_r^{i+1}) \dots$$

where for every $i = 0, 1, \dots$:

- $T_i = Sync^\sigma_r(u|_{a_i})$ and $T_0 = Sync^\sigma_r(\varepsilon)$;

- $B_i = \sigma_q(view_q(u|_{y_i}))$;

- $t_r^i = state_r(u|_{x_i})$.

We then construct a strategy that plays $\chi(u)$ in $\mathcal{A}'$ instead of $u$ in $\mathcal{A}$. In Figure 3
we have pictorially represented which parts of $u$ determine which parts of $\chi(u)$.



Fig. 3. Definition of $\chi(u)$ (figure not reproduced)



The next lemma follows directly from the definition of the reduction from A 
to A'. 

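Lemma 3. If $u$ ends in a letter from $\Sigma_{q,r}$ then we have the following:

- $\mathit{state}_q(\chi(u)) = (\mathit{state}_q(u), \mathit{state}_r(u))$.

- $\mathit{state}_p(\chi(u)y) = \mathit{state}_p(uy)$ for every $p \neq q$ and $y \in (\Sigma \setminus \Sigma_{q,r})^*$.

- $\mathit{state}_q(\chi(u)\, ch(T)\, y) = (\mathit{state}_q(uy), T)$ for every $y \in (\Sigma \setminus \Sigma_{q,r})^*$.

- $\mathit{state}_q(\chi(u)\, ch(T)\, y\, ch(B)) = (\mathit{state}_q(uy), T, B)$ for every $y \in (\Sigma \setminus \Sigma_{q,r})^*$.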

From $\sigma$ in $\mathcal{A}$ to $\sigma'$ in $\mathcal{A}'$. We are now ready to define $\sigma'$ from a winning strategy $\sigma$. We assume that $\sigma$ satisfies the property stated in Lemma 1. We will define $\sigma'$ only for certain plays and then show that this is sufficient.

Consider $u'$ such that $u' = \chi(u)$ for some $\sigma$-play $u$ ending in a letter from $\Sigma_{q,r}$. We have:

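- If $\mathit{state}_q(u') \notin F_q$ then $\sigma'_q(\mathit{view}_q(u')) = \{ch(T)\}$ where $T = \mathit{Sync}^{\sigma}(u)$.

- For every process $p \neq q$ we put $\sigma'_p(\mathit{view}_p(u'\, ch(T)\, y)) = \sigma_p(\mathit{view}_p(uy))$ for $y \in (\Sigma \setminus \Sigma_{q,r})^*$.

- For $y \in (\Sigma \setminus \Sigma_{q,r})^*$ and $B = \sigma_q(\mathit{view}_q(uy))$ we define

$$\sigma'_q(\mathit{view}_q(u'\, ch(T)\, y)) = \begin{cases} B & \text{if } B \cap \Sigma_{q,r} = \emptyset \\ \{ch(B)\} & \text{if } B \subseteq \Sigma_{q,r} \end{cases}$$

- $\sigma'_q(\mathit{view}_q(u'\, ch(T)\, y\, ch(B))) = \emptyset$.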

Observe that in the last case the strategy proposes no move as there are only 
moves of the environment from a position reached on a play of this form. 
The next lemma states the correctness of the construction. 

Lemma 4. If $\sigma$ is a winning strategy for $\mathcal{A}, (F_p)_{p \in \mathbb{P}}$ then $\sigma'$ is a winning strategy for $\mathcal{A}', (F'_p)_{p \in \mathbb{P}'}$.

Proof. We will show inductively that for every $\sigma'$-play $u'$ ending in a letter of the form $(a, t_r)$ there is a $\sigma$-play $u$ such that $u' = \chi(u)$. Then we will show that every maximal $\sigma'$-play is winning.

We start with the induction step; later we will explain how to do the induction base. Let us take $u' = \chi(u)$ as in the induction hypothesis. By Lemma 3 we have $\mathit{state}_q(u') = (\mathit{state}_q(u), \mathit{state}_r(u))$.

Consider a possible, $\sigma'$-compatible, extension of $u'$ till the next letter $(a, t_r)$. It is of the form $u'\, ch(T)\, y\, ch(B)(a, t_r)$ where $y \in (\Sigma \setminus \Sigma_r)^*$. We will show that it is of the form $\chi(uyxa)$ for some $x \in (\Sigma_r^{loc})^*$ and that $uyxa$ is a $\sigma$-play.

- By definition of the automaton $\mathcal{A}'$ and the strategy $\sigma'$ we have $\sigma'(u') = \{ch(T)\}$ with $T = \mathit{Sync}^{\sigma}(u)$.

- Since $\sigma'$ is the same as $\sigma$ on actions from $\Sigma \setminus \Sigma_r$, we get that $uy$ is a $\sigma$-play.

- Concerning $ch(B)$, by the definition of $\sigma'$ we have that $B = \sigma_q(\mathit{view}_q(uy))$. Then by the definition of $\mathcal{A}'$ we get some $A$ such that $(t_r, A) \in T$, and $a \in (t_r, A) \bowtie (s_q, B)$ with $s_q = \mathit{state}_q(uy)$. As $T = \mathit{Sync}^{\sigma}(u)$ we can find $x \in (\Sigma_r^{loc})^*$ such that $ux$ is a $\sigma$-play, $\mathit{state}_r(ux) = t_r$ and $\sigma_r(ux) = A$. We get that $uyxa$ is a $\sigma$-play with $\chi(uyxa) = u'\, ch(T)\, y\, ch(B)(a, t_r)$, and we are done.

The induction base is exactly the same as the induction step taking u' and u to 
be the empty sequence. 

To finish the lemma we need to show that every maximal $\sigma'$-play is winning. For this we examine all possible situations where such a play can end. We consider plays $u'$ and $u$ as at the beginning of the lemma.

If $u'$ itself is maximal then $\mathit{state}_q(u')$ is final because otherwise $ch(T)$ would be possible. Hence, by Lemma 3, $\mathit{state}_q(u)$ and $\mathit{state}_r(u)$ are final. Since $\sigma$ and $\sigma'$ are the same on processes other than $q$ and $r$, no action $a$ with $dom(a) \cap \{q, r\} = \emptyset$ is possible from $u$. It follows that $u$ is a maximal $\sigma$-play. Since $\sigma$ is winning, $\mathit{state}_p(u)$ is final for every process $p$. By Lemma 3, $u'$ is winning too.

Suppose now that $u'\, ch(T)\, y$ is maximal for some $y \in (\Sigma \setminus \Sigma_r)^*$. By the same reasoning as above there is no $\sigma$-play extending $uy$ by an action from $\Sigma \setminus \Sigma_r$. We have two cases:

- If $\mathit{state}_q(uy)$ is final then $T$ is a final plan by Lemma 2. So there is $x \in (\Sigma_r^{loc})^*$ such that $\mathit{state}_r(uyx)$ is final. Then $uyx$ is a maximal $\sigma$-play. Since $\sigma$ is winning, after $uyx$ all processes are in the final state. By Lemma 3, $u'\, ch(T)\, y$ is winning too.

- If $\mathit{state}_q(uy)$ is not final then $\sigma(uy) \subseteq \Sigma_{q,r}$, since $\sigma$ is assumed to satisfy Lemma 1 and communication with other processes than $r$ is not possible. By Lemma 2, $T$ cannot be final and action $ch(B)$ for $B = \sigma(uy)$ is possible according to $\sigma'$. A contradiction.

A play of the form $u'\, ch(T)\, y\, ch(B)$ cannot be maximal since some local actions of the form $(a, t_r)$ are always possible. This covers all the cases and completes the proof. □

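From $\sigma'$ in $\mathcal{A}'$ to $\sigma$ in $\mathcal{A}$. From a strategy $\sigma' = (\sigma'_p)_{p \in \mathbb{P}'}$ for $\mathcal{A}'$ we define a strategy $\sigma = (\sigma_p)_{p \in \mathbb{P}}$ for $\mathcal{A}$. We assume that $\sigma'$ satisfies Lemma 1. We consider $u$ ending in an action from $\Sigma_{q,r}$ such that $\chi(u)$ is a $\sigma'$-play. First, for every $p \neq q, r$ and every $y \in (\Sigma \setminus \Sigma_r)^*$ we set

$$\sigma_p(\mathit{view}_p(uy)) = \sigma'_p(\mathit{view}_p(\chi(u)y)).$$

If $\mathit{state}_q(\chi(u))$ is not final then $\sigma'(\chi(u)) = \{ch(T)\}$ for some admissible plan $T$ in state $\mathit{state}_r(\chi(u))$. This means that $T = \mathit{Sync}^{\rho}(u)$ for some strategy $\rho$. In this case:

- for every $x \in (\Sigma_r^{loc})^*$ we set $\sigma_r(ux) = \rho_r(ux)$;

- for every $y \in (\Sigma \setminus \Sigma_r)^*$ we consider $X = \sigma'_q(\mathit{view}_q(\chi(u)\, ch(T)\, y))$ and set

$$\sigma_q(\mathit{view}_q(uy)) = \begin{cases} B & \text{if } X = \{ch(B)\} \\ X & \text{otherwise} \end{cases}$$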



Lemma 5. If $\sigma'$ is a winning strategy for $\mathcal{A}', (F'_p)_{p \in \mathbb{P}'}$ then $\sigma$ is a winning strategy for $\mathcal{A}, (F_p)_{p \in \mathbb{P}}$.

Proof. Suppose that $u$ is a $\sigma$-play ending in an action from $\Sigma_{q,r}$ and such that $\chi(u)$ is a $\sigma'$-play. We first show that for every extension of $u$ to a $\sigma$-play $uyxa$ with $y \in (\Sigma \setminus \Sigma_r)^*$, $x \in (\Sigma_r^{loc})^*$ and $a \in \Sigma_{q,r}$, its image $\chi(uyxa)$ is a $\sigma'$-play.

Then we will show that every maximal $\sigma$-play is winning.

Take $uyxa$. By Lemma $\mathit{state}_q(\chi(u))$ is not final, so we have $\sigma'(\chi(u)) = \{ch(T)\}$. Then $T = \mathit{Sync}^{\sigma}(u)$ by the definition of $\sigma$. Again directly from the definition we have that $\chi(u)\, ch(T)\, y$ is a $\sigma'$-play. By definition of $\sigma$ we have then that $\chi(u)\, ch(T)\, y\, ch(B)$ is a $\sigma'$-play for $B = \sigma_q(\mathit{view}_q(uy))$. Finally, we need to see why $(a, t_r)$ with $t_r = \mathit{state}_r(ux)$ is possible. Since $T = \mathit{Sync}^{\sigma}(u)$ we get that $(t_r, \sigma_r(\mathit{view}_r(ux))) \in T$. Then $a \in \sigma_r(\mathit{view}_r(ux)) \cap B$, and in consequence $\chi(u)\, ch(T)\, y\, ch(B)(a, t_r)$ is possible by Lemma 3 and the definition of $\mathcal{A}'$.

It remains to verify that every maximal $\sigma$-play is winning. Consider a maximal $\sigma$-play $uyx$ where $u$ ends in an action from $\Sigma_{q,r}$, $x \in (\Sigma_r^{loc})^*$, and $y \in (\Sigma \setminus \Sigma_r)^*$ (this includes the cases when $x$ or $y$ are empty). We look at $\chi(u)$ and consider two situations:

- If no $ch(T)$ is possible from $\chi(u)$ then $\mathit{state}_q(\chi(u))$ is final. This means that $x$ is empty and $\mathit{state}_q(u)$ and $\mathit{state}_r(u)$ are both final. It is then clear that $\chi(u)y$ is a maximal $\sigma'$-play. Since $\sigma'$ is winning, every process is in a final state. So $uy$ is a winning play in $\mathcal{A}$.

- If $\chi(u)\, ch(T)$ is a $\sigma'$-play for some $T$ then again we have two cases:

  • If $s_r = \mathit{state}_r(uyx)$ is final then $(s_r, \emptyset) \in T$ by the definition of $\sigma$. As $T$ is an admissible plan, $T$ is final. After $\chi(u)y$ no action other than $ch(B)$ is possible. But $ch(B)$ is not possible either since $T$ is final. Hence $\chi(u)y$ is a maximal $\sigma'$-play. So all the states reached on $\chi(u)y$ are final. By Lemma 3 we deduce the same for $uyx$, hence $uyx$ is winning.

  • If $s_r$ is not final then $\sigma_r(\mathit{view}_r(uyx)) = A \subseteq \Sigma_{q,r}$ for $A \neq \emptyset$ (local actions of $r$ are not possible, since $uyx$ is maximal). Hence $(s_r, A) \in T$, and $T$ is not final. This means that $s_q = \mathit{state}_q(\chi(u)\, ch(T)\, y)$ is not final. So it is possible to extend the $\sigma'$-play with an action of the form $ch(B)$. But by the definition of $\mathcal{A}'$ we have $(s_q, B) \bowtie (s_r, A) \neq \emptyset$. Hence $uyx$ can be extended by a communication between $q$ and $r$ on a letter from $B \cap A$; a contradiction.

□ 

Together, Lemmas 4 and 5 show Theorem 3.

Theorem 3. Let $r$ be the fixed leaf process with $\mathbb{P}' = \mathbb{P} \setminus \{r\}$ and $q$ its parent. Then the system has a winning strategy for $\mathcal{A}, (F_p)_{p \in \mathbb{P}}$ iff it has one for $\mathcal{A}', (F'_p)_{p \in \mathbb{P}'}$. All the components of $\mathcal{A}'$ are identical to those of $\mathcal{A}$, apart from that for the process $q$. The size of $q$ in $\mathcal{A}'$ is $O(M_q 2^{M_r |\Sigma_{q,r}|})$, where $M_q$ and $M_r$ are the sizes of processes $q$ and $r$ in $\mathcal{A}$, respectively.

Remark 1. Note that the bound on \A'\ is better than \A\ + 0{Mr2'^''''^^^"'^) 
obtained by simply counting all possible states in the description above. The 
reason is that we can restrict admissible plans to be (partial) functions from $S_r$ into $\mathcal{P}(\Sigma_{q,r})$. That is, we do not need to consider different sets of communication actions for the same state in $S_r$.

Let us reconsider the example from Figure 1 of a server with $k$ clients. Applying our reduction $k$ times we reduce out all the clients and obtain the single process plant whose size is $M_s 2^{(M_1 + \cdots + M_k)c}$, where $M_s$ is the size of the server, $M_i$ is the size of client $i$, and $c$ is the maximal number of communication actions between a client and the server.

Theorem 4. The control problem for distributed alphabets with acyclic commu-
nication graph is decidable. There is an algorithm for solving the problem (and 
computing a finite-state controller, if it exists) whose working time is bounded 
by a tower of exponentials of height equal to half of the diameter of the graph. 

Our reduction algorithm can be actually used to compute a (finite-state) 
distributed controller: 

Corollary 1. There is an algorithm which solves the control problem for dis- 
tributed alphabets whose communication graph is acyclic and if the answer is 
positive, the algorithm outputs a controller satisfying the following property: For 
every process p and every state s of the controller Ac, the set of actions allowed 
for process p in state s is the set of all uncontrollable local actions plus: 

— either a unique controllable local action, 

— or a set of controllable actions shared with a unique neighbour q of p. 

4 The lower bound

We show in this section that in the simplest non-trivial case of acyclic communication graphs, consisting of a line of three processes, the control problem is already EXPTIME-complete. In the general case the complexity of the control problem grows as a tower of exponentials function with respect to the size of the diameter of the communication graph.

4.1 Height one

Proposition 1. The control problem for the communication graph 1 - 2 - 3 is EXPTIME-complete.

Proof. The EXPTIME upper bound follows from Theorem 3, as the height of the tree is 1. So the reduction is applied twice from process 2, first simulating process 1, then simulating process 3. Finally, a reachability game is solved on an exponential size arena.

For the lower bound we simulate an alternating polynomial space Turing machine $M$ on input $w$. We assume that $M$ has a unique accepting, blocking configuration (say with blank tape, head leftmost). The goal now is to let processes 1, 3 guess an accepting computation tree of $M$ on $w$. The environment will be able to choose a branch in this tree and challenge each proposed configuration. Process 2 will be used to validate tests initiated by the environment. If a test reveals an inconsistency, process 2 blocks and the environment wins. To summarize the idea of the construction: processes 1 and 3 generate sequences of configurations (encoded by local actions), separated by action $\$$ and $\overline{\$}$, respectively, shared with process 2. Both start with the initial configuration of $M$ on $w$. Transitions from existential states are chosen by the plant, and those from universal ones by the environment. At a given time, process 1 has generated the same number of configurations as process 3, or process 3 is about generating one configuration more. In the first case, the environment can check that it is the same configuration; and in the second, it can check that it is the successor configuration. In this way, 1 and 3 need to generate the same branch of the run tree.

A computation of $M$ with space bound $n$ is a sequence $C_0 \vdash C_1 \vdash \cdots \vdash C_N$, where each configuration $C_j$ is encoded as a word from $\Gamma^*(Q \times \Gamma)\Gamma^*$ of length $n$. Since $M$ is alternating, its acceptance is expressed by the existence of a tree of accepting computations.

Process 1 starts by generating the initial configuration on $w$, followed by a synchronization symbol $\$$ with process 2. After this, process 1 generates a sequence of configurations separated by $\$$. When generating a configuration, process 1 remembers $M$'s state $q$ and the symbol $A$ under the head. All transitions so far are controllable. After generating $\$$ process 1 goes into a state where the outgoing transitions are labeled by $M$'s transitions on $(q, A)$ (if the configuration was not blocking). These transitions are controllable if $q$ is existential, and uncontrollable if $q$ is universal. The transition chosen, either by the plant or the environment, is stored in the state up to the next synchronization symbol. Finally, if the current configuration is final then process 1 synchronizes with 2 on $\$_F$ (instead of $\$$) and goes into an accepting state.

The description is similar for process 3, with $\overline{\Gamma}, \overline{Q}, \overline{\$}, \overline{\$}_F$ instead of $\Gamma, Q, \$, \$_F$.

Finally, process 2 has two main states, eq and succ, with transitions $eq \xrightarrow{\overline{\$}} succ$ and $succ \xrightarrow{\$} eq$. From state eq it can go to an accepting state after reading $\$_F$ followed by



Fig. 4. Environment chooses positions $i, j$ in $C_P, \overline{C_P}$ with $P = 2$. System wins iff $\alpha = \beta$ or $i \neq j$. (figure not reproduced)

The environment can initiate 2 kinds of tests: equality and successor test. The equality test checks that $C_p = \overline{C_p}$ and the successor test checks that $C_p \vdash \overline{C_{p+1}}$.

For the equality test, the environment can choose a position $i$ within $C_p$ and a position $j$ in $\overline{C_p}$. Formally, for each (controllable) outgoing transition of a state $s$ of process 1 labeled by $\alpha \in \Gamma \cup (Q \times \Gamma)$ there is a transition $s \xrightarrow{(\downarrow, \alpha)} (\downarrow, i, \alpha)$ with $(\downarrow, \alpha)$ uncontrollable. The target state $(\downarrow, i, \alpha)$ records the tape position $i$ (known from $s$) and the tape symbol $\alpha$. In state $(\downarrow, i, \alpha)$ process 1 synchronizes with 2 on action $(\downarrow, i, \alpha)$, and then stops (accepting). The same for process 3
with uncontrollable actions and synchronization action 
From state eq process 2 can perform a synchronization $(\downarrow, j, \beta)$ with process 3 and then one with process 1 on any $(\downarrow, i, \alpha)$, provided $i \neq j$ or $\alpha = \beta$, and then accept. This is the case where the environment has chosen positions on both lines 1 and 3 (see Figure 4). If the environment has chosen a test transition in $C_p$ but not in $\overline{C_p}$ (or vice-versa), process 2 will accept (and stop), too.

The successor test is similar; it consists in choosing a position within $C_p$ and one within $\overline{C_{p+1}}$. The information checked by process 2 includes the symbols $\alpha_-, \alpha, \alpha_+$ of $C_p$ at positions $i - 1$, $i$, $i + 1$ resp., so process 1 goes on transition $(\searrow, \alpha)$ into a state of the form $(i, \alpha, \alpha_-, \alpha_+)$. In state t process 2 can perform a synchronization on $(\searrow, i, \alpha, \alpha_-, \alpha_+)$ with process 1, and then one with process 3 on $(\searrow, j, \beta)$, provided $i \neq j$ or the symbols $\alpha_-, \alpha, \alpha_+$ are inconsistent with the new middle symbol $\beta$ according to $M$'s transition relation.

The reader may notice that we need to guarantee that the universal transitions chosen by the environment are the same, for processes 1 and 3. This can be enforced by communicating the transitions with actions $\$$, $\overline{\$}$ to process 2, who is in charge of checking. Moreover, note that the action alphabet above is not constant, in particular it depends on $n$. This can be fixed by replacing each action of type $(\downarrow, i, \alpha)$ (or alike) by a sequence of synchronization actions where $i$ is transmitted bitwise. By alternating the bits transmitted by 1 and 3, respectively, process 2 can still compare indices.

Note also that configurations $C_p, \overline{C_p}$ are generated in parallel, and so are $C_p$ and $\overline{C_{p+1}}$. This is crucial for the correctness. □

Lemma 6. The control problem defined in Proposition 1 has a winning strategy if and only if $M$ accepts $w$.

Proof. We assume that there is a winning strategy in the control game. Let us consider a maximal winning play without tests, where process 1 generates $C_0 \$ C_1 \$ \cdots C_N \$_F$ and process 3 generates $\overline{C_0}\, \overline{\$}\, \overline{C_1}\, \overline{\$} \cdots \overline{C_{N'}}\, \overline{\$}_F$. By construction, each of the $C_p$ and $\overline{C_q}$ are configurations of length $n$, $C_0 = \overline{C_0}$ is the initial configuration of $M$ on $w$, and $C_N = \overline{C_{N'}}$ is the accepting configuration. Suppose by contradiction that $C_0, \ldots, C_N$ is not a run of $M$. Assume first that $C_p = \overline{C_p}$ for all $0 < p < P$, but $C_{P-1} \nvdash \overline{C_P}$. In this case the environment could have chosen the first position $i$ where $\overline{C_P}$ does not correspond to a successor of $C_{P-1}$, and process 2 would have rejected after the synchronization $(\searrow, i, \alpha, \alpha_-, \alpha_+)$ followed by $(\searrow, i, \beta)$, contradicting the fact that the strategy is winning. The second case is where $C_p = \overline{C_p}$ for all $0 < p < P$, but $C_P \neq \overline{C_P}$. Then the environment could have chosen the first position $i$ where $C_P$ and $\overline{C_P}$ differ, and process 2 would have rejected after the synchronization $(\downarrow, i, \beta)$ followed by $(\downarrow, i, \alpha)$ with $\alpha \neq \beta$, again a contradiction. This means that $C_0 \vdash C_1 \vdash \cdots C_N$. Moreover, $C_N = \overline{C_{N'}}$ is final since process 1 is in a final state (thus also $N = N'$).

For the converse, we assume that $M$ accepts $w$. Let the strategy of processes 1 and 3 consist of generating an accepting run tree of $M$ on $w$. For existential configurations, say that both 1 and 3 choose the first winning transition among all possibilities. Every maximal play without environment test corresponds to an accepting run $C_0 \vdash C_1 \vdash \cdots C_N$, hence the play reaches a final state on every process. Every maximal play with test is of one of the following forms: (1) $C_0 \overline{C_0} \$ \overline{\$} \cdots C_{p-1} \overline{C_{p-1}} \$ \overline{\$} x y$, where $x$ and $y$ are prefixes of $C_p$ and $\overline{C_p}$, followed by $\downarrow$-actions, or (2) $C_0 \overline{C_0} \$ \overline{\$} \cdots C_{p-1} \$ x y$, where $x$ is a prefix of $C_{p-1}$ and $y$ a prefix of $\overline{C_p}$, followed by $\searrow$-actions. In both cases, the environment's challenge fails, since $C_p = \overline{C_p}$ and $C_{p-1} \vdash \overline{C_p}$. □



4.2 Lower bound: general case 

Our main objective now is to show how using a communication architecture of diameter $l$ one can code a counter able to represent numbers of size $\mathit{Tower}(2, l)$ (with $\mathit{Tower}(n, l) = 2^{\mathit{Tower}(n, l-1)}$ and $\mathit{Tower}(n, 1) = n$). Then an easy adaptation of the construction will allow to code computations of Turing machines with the same space bound as the capabilities of counters.

We fix $n$ and will be first interested to define $n$-counters. Let $\Sigma_i = \{a_i, b_i\}$ for $i = 1, \ldots, n$. We will think of $a_i$ as 0 and $b_i$ as 1, mnemonically: 0 is round and 1 is tall. Let $\Sigma_i^{\#} = \Sigma_i \cup \{\#_i\}$ be the alphabet extended with an end marker.

A 1-counter is just a letter from $\Sigma_1$ followed by $\#_1$. The value of $a_1$ is 0, and the one of $b_1$ is 1. Following this intuition we write $(1 - c)$ to denote $b_i$ if $c = a_i$ and vice versa.

An $(l+1)$-counter is a word

$$x_0 u_0 x_1 u_1 \cdots x_{k-1} u_{k-1} \#_{l+1} \qquad (1)$$

where $k = \mathit{Tower}(2, l)$ and for every $i$, letter $x_i \in \Sigma_{l+1}$ and $u_i$ is an $l$-counter with value $i$. The value of the above $(l+1)$-counter is $\sum_{i=0}^{k-1} x_i 2^i$. The end marker will be convenient in the construction that follows. An iterated $(l+1)$-counter is a nonempty sequence of $(l+1)$-counters.

For every $l$ we will define a plant $\mathcal{C}^l$ such that the winning strategy for the system in $\mathcal{C}^l$ will need to produce an iterated $l$-counter.

For $l = 1$ this is very easy, we have only one process in $\mathcal{C}^1$ and all transitions are controllable.

(automaton diagram with states "initial" and "final" not reproduced)

This automaton can repeatedly produce a 1-counter and eventually go to the accepting state. The letter on which it goes to accepting state will be not important, so we put $\top_1$. Recall that our acceptance condition is that all processes reach a final state from which no actions are possible.

Suppose that we have already constructed $\mathcal{C}^l$. We want now to define $\mathcal{C}^{l+1}$, a plant producing an iterated $(l+1)$-counter, i.e., a sequence of $l$-counters with values $0, 1, \ldots, (\mathit{Tower}(2, l) - 1), 0, 1, \ldots$ We assume that the communication graph of $\mathcal{C}^l$ has the distinguished root process $r_l$. Process $r_l$ is in charge of generating an iterated $l$-counter. From $\mathcal{C}^l$ we will construct two plants $\mathcal{D}^l$ and $\overline{\mathcal{D}^l}$, over disjoint sets of processes. The plant $\mathcal{D}^l$ is obtained by adding a new root process $r_{l+1}$ that communicates with $r_l$, similarly for the plant $\overline{\mathcal{D}^l}$ with root process $\overline{r_{l+1}}$. The plant $\mathcal{C}^{l+1}$ will be the composition of $\mathcal{D}^l$ and $\overline{\mathcal{D}^l}$ with a new verifier process that we name $\mathcal{V}_{l+1}$. The root process of the communication graph of $\mathcal{C}^{l+1}$ will be $r_{l+1}$. The schema of the construction is presented in Figure 5. Process $r_{l+1}$, as well as $\overline{r_{l+1}}$, are in charge of generating an iterated $(l+1)$-counter. That they behave indeed this way is guaranteed by a construction similar to the one of Proposition 1 with the help of the verifier $\mathcal{V}_{l+1}$: the environment gets a chance of challenging each $l$-counter of the sequence of $r_{l+1}$ (and similarly for $\overline{r_{l+1}}$). These challenges correspond to two types of tests, equality and successor. If there is an error in one of these sequences then the environment can place a challenge and win. Conversely, if there is no error no challenge of the environment can be successful; this means then that the sequences of $l$-counters have correct values $0, 1, \ldots, (\mathit{Tower}(2, l) - 1), 0, 1, \ldots$




Fig. 5. Architecture of the plant 



Construction of $\mathcal{D}^l$. The construction of the automaton of the new root is presented in Figure 6.

Fig. 6. Automaton for process $r_{l+1}$ (figure not reproduced; one part of the automaton is labelled "Main loop")



We start by modifying the automaton for process $r_l$, given by $\mathcal{C}^l$. Actions of $r_l$ from $\Sigma_l^{\#}$, that were previously local for $r_l$, become shared actions with $r_{l+1}$. Process $r_{l+1}$ has new local actions $\Sigma_{l+1}^{\#}$ and an action $\$_l$ shared with process $\mathcal{V}_{l+1}$. The action $\$_l$ is executed after each $l$-counter, that is, after each $\#_l$.

The automaton for $r_{l+1}$ has two main tasks: it "copies" the sequence of $l$-counters generated by $r_l$ (actually only the projection onto $\Sigma_l$) and it interacts with $\mathcal{V}_{l+1}$ towards the verification of this sequence. This automaton is composed of three parts that synchronize with $r_l$, forcing it to behave in some specific way. The first part called "zero" enforces that $r_l$ starts with an $l$-counter with value 0 (otherwise $r_{l+1}$ would block). When we read $\#_l$ we know that the first $l$-counter has ended and the control is passed to the second, main part of $r_{l+1}$.

The main part of $r_{l+1}$ gives a possibility for the environment to enter into a test part. That is, after each transition on $c_l \in \Sigma_l$ (that is $a_l$ or $b_l$) the environment chooses between action skip (that continues the main part) or a test action from $\{(\downarrow, c_l), (\searrow, c_l)\}$ that leads into the test part. The main part also outputs a local action $\#_{l+1}$ when needed, i.e., whenever the last seen $l$-counter was maximal. (Technically it means that there has been no $a_l$ since the last $\#_l$.) The transition on gives a possibility to go to the accepting state.

The test part of $r_{l+1}$ simply receives the $\Sigma_l$-actions of $r_l$ and sends them to process $\mathcal{V}_{l+1}$ (cf. loop $a_l a_l^{\circ}$ and $b_l b_l^{\circ}$). It does so until it receives $\#_l$ signaling the end of the counter. Then it sends $\$_l$ to process $\mathcal{V}_{l+1}$ to inform it that the counter has finished. After this $r_{l+1}$ enters in a state where it can do any controllable action. From this state at any moment it can enter the accepting state on a dummy letter $\top_{l+1}$.

Plant $\overline{\mathcal{D}^l}$. This one is constructed in almost the same way as $\mathcal{D}^l$. Most importantly all processes (and actions) in $\overline{\mathcal{D}^l}$ are made disjoint from $\mathcal{D}^l$. We will write $\overline{a}$ for the letter of $\overline{\mathcal{D}^l}$ corresponding to $a$ in $\mathcal{D}^l$.

The other difference between $\mathcal{D}^l$ and $\overline{\mathcal{D}^l}$ is that in the latter every transition $(\searrow, c)$ is changed into $(\searrow, 1 - c)$ if since the last $\overline{\$}_l$ there have been only k. This is done to accommodate for the carry needed for the successor test. Recall that $(1 - c)$ stands for $a$ if $c$ is $b$ and vice versa.
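The counter encoding of definition (1) and the position-by-position successor check that the environment's challenge relies on, as an added Python example that is not part of the paper. Writing the letters $a_i$, $b_i$, $\#_i$ as the strings `a2`, `b2`, `#2` and all function names are assumptions made here; the check uses the rule that bit $k$ of the next counter differs from bit $k$ of $u_i$ exactly when $u_i$ has no $a$ before position $k$.

```python
"""Counters from definition (1) and the local successor check (constructed example)."""


def tower(n, l):
    """Tower(n, 1) = n and Tower(n, l) = 2 ** Tower(n, l - 1)."""
    return n if l == 1 else 2 ** tower(n, l - 1)


def counter(l, value):
    """Encode `value` as an l-counter, least significant bit first.

    Letters are strings: 'a<i>' is bit 0, 'b<i>' is bit 1, '#<i>' is the end marker.
    """
    if l == 1:
        if value not in (0, 1):
            raise ValueError("a 1-counter holds 0 or 1")
        return ["b1" if value else "a1", "#1"]
    k = tower(2, l - 1)                       # number of bits x_0 .. x_{k-1}
    if not 0 <= value < 2 ** k:
        raise ValueError(f"an {l}-counter holds values below Tower(2, {l})")
    word = []
    for i in range(k):
        bit = (value >> i) & 1
        word.append(("b" if bit else "a") + str(l))    # letter x_i
        word.extend(counter(l - 1, i))                 # u_i: (l-1)-counter with value i
    word.append(f"#{l}")
    return word


def level_counters(word, l):
    """Bit vectors of the consecutive l-counters in `word` (projection on level l)."""
    found, bits = [], []
    for letter in word:
        if letter == f"#{l}":
            found.append(bits)
            bits = []
        elif letter in (f"a{l}", f"b{l}"):
            bits.append(1 if letter[0] == "b" else 0)
    return found


def value_of(bits):
    """Value of a bit vector read least significant bit first."""
    return sum(bit << i for i, bit in enumerate(bits))


def successor_challenge(u, v):
    """First position k at which v is not u + 1 modulo 2 ** len(u), else None.

    Only bit k of both counters and one flag about u are needed at each step:
    the bit is flipped exactly when u has no 0 (no 'a') before position k.
    """
    if len(u) != len(v):
        raise ValueError("counters of different length")
    no_a_so_far = True
    for k, (c, d) in enumerate(zip(u, v)):
        expected = 1 - c if no_a_so_far else c
        if d != expected:
            return k
        no_a_so_far = no_a_so_far and c == 1
    return None


def winning_challenge(word, l):
    """(counter index, position) of a challenge that exposes an error, or None.

    The first l-counter must have value 0 and every next one must pass the
    successor check against its predecessor, wrapping around after the maximum.
    """
    seq = level_counters(word, l)
    if not seq:
        raise ValueError("no l-counter in the word")
    if any(seq[0]):
        return (0, seq[0].index(1))
    for i in range(len(seq) - 1):
        k = successor_challenge(seq[i], seq[i + 1])
        if k is not None:
            return (i + 1, k)
    return None


if __name__ == "__main__":
    word = counter(3, 5) + counter(3, 9)      # an iterated 3-counter
    print([value_of(b) for b in level_counters(word, 2)])
    print(winning_challenge(word, 2))
```

The level-2 counters inside an iterated 3-counter run through 0, 1, 2, 3, 0, 1, 2, 3, so no challenge succeeds; changing a single level-2 letter yields a position at which the check fails.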

Process $\mathcal{V}_{l+1}$. This process will have two main states eq and succ, the first one being initial. From eq there is a transition on $\overline{\$}_l$ to succ, and from succ there is a transition on $\$_l$ back to eq. Moreover from eq it is possible to go to the accepting state.

Additionally, from eq there is a transition on $(\downarrow, c)^{\circ}$ to the state $(eq, c)$ for every $c \in \Sigma_l$. Similar to the construction of Proposition 1, process $\mathcal{V}_{l+1}$ should accept if either the two bits from $\Sigma_l$ challenged by the environment are compatible with the test, or their positions are unequal. So, from state $(eq, c)$ on letter $(\downarrow, 1 - c)^{\circ}$ there is a transition to a state called neqtest; on all other letters there is a transition to a looping state (see also Figure [?]). Similarly from succ, but now with $(\searrow, c)$ letters, and the order of reading from the components reversed.

From state neqtest process $\mathcal{V}_{l+1}$ verifies that the sequence of actions over $\Sigma_l^{\circ}$ initiated by $r_{l+1}$ has not the same length as the sequence over $\overline{\Sigma_l^{\circ}}$ initiated by $\overline{r_{l+1}}$ (up to the moment where $\$_l$ and $\overline{\$}_l$ are executed). This is done simply by interleaving the two sequences of actions $a^{\circ}, b^{\circ}$, shared with $r_{l+1}$ and $\overline{r_{l+1}}$, respectively. Notice that the symbols $a^{\circ}, b^{\circ}$ by themselves are not important, one could as well replace them by a single symbol. If this is the case, then process $\mathcal{V}_{l+1}$ gets to an accepting state, otherwise it rejects. In state loop process $\mathcal{V}_{l+1}$ can perform any controllable action and then enter the accepting state.

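Putting together $\mathcal{C}^{l+1}$. The plant $\mathcal{C}^{l+1}$ is the composition of $\mathcal{D}^l$, $\overline{\mathcal{D}^l}$ and the new process $\mathcal{V}_{l+1}$. The actions of $\mathcal{C}^{l+1}$ are the ones of $\mathcal{C}^l$, plus $X \cup \overline{X}$ where $X$ consists of: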

- C E^y^ with domain {n+i}, 

- E* C E^y with domain 

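- skip $\in \Sigma^{env}$ and $(\downarrow, c), (\searrow, c) \in \Sigma^{env}$ with domain $\{r_{l+1}\}$ ($c \in \Sigma_l$),

- $c^{\circ}$, $(\downarrow, c)^{\circ}$, and $(\searrow, c)^{\circ}$, all in $\Sigma^{sys}$ with domain $\{r_{l+1}, \mathcal{V}_{l+1}\}$ ($c \in \Sigma_l$).

The set $\overline{X}$ is defined similarly, by replacing every action $c$ by $\overline{c}$, and $r_l, r_{l+1}$ by $\overline{r_l}, \overline{r_{l+1}}$ in the domain of the action.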

First we show that the system can indeed win every control instance $\mathcal{C}^l$. Moreover he can win and produce at the same time any iterated $l$-counter.

Lemma 7. For every level $l$ and every iterated $l$-counter $c$ there is a winning strategy $\sigma$ in $\mathcal{C}^l$ such that for every $\sigma$-play the projection of this play on $\bigcup_{i=1,\ldots,l} \Sigma_i^{\#}$ is $c$.

Proof. The proof is by induction on $l$. For $l = 1$ this is obvious since there are no environment moves and all possible behaviours leading to the accepting state are iterated 1-counters.

Let us consider level $l + 1$. Recall that $\mathcal{C}^{l+1}$ is constructed from $\mathcal{C}^l$, $\overline{\mathcal{C}^l}$, and three new processes: $r_{l+1}$, $\overline{r_{l+1}}$, $\mathcal{V}_{l+1}$. Fix an iterated $(l+1)$-counter $c$. Observe that the projection of $c$ on the alphabet of $l$-counters, namely $\bigcup_{i=1,\ldots,l} \Sigma_i^{\#}$, is an iterated $l$-counter. By induction we have a winning strategy producing this counter in $\mathcal{C}^l$. We play this winning strategy in the $\mathcal{C}^l$ and $\overline{\mathcal{C}^l}$ parts of $\mathcal{C}^{l+1}$. It remains to say what the new processes should do.

Process $r_{l+1}$ should just produce $c$. By induction assumption we know that the letters this process reads from $r_l$ are the projection of $c$ on the alphabet of the $l$-counter; and it is so no matter if there are environment questions in $\mathcal{C}^l$ or not. So process $r_{l+1}$ has to just fill in missing $\Sigma_{l+1}$ letters. If the environment asks no questions to $r_{l+1}$ then at the end of $c$, this process will do then $\top_{l+1}$ and enter the accepting state. Analogously for $\overline{r_{l+1}}$. At the same time process $\mathcal{V}_{l+1}$ will be at state eq and it can enter the accepting state, too, since it can count how many $\$_l$ symbols he has received.

Let us suppose now that the environment chooses a question action in $r_{l+1}$ or $\overline{r_{l+1}}$. Let $i$ be the index of an $l$-counter $u_i$ within $c$ at which the first question is asked. We will consider two cases: (i) the question is asked in $\overline{r_{l+1}}$, (ii) the question is asked in $r_{l+1}$ but not in $\overline{r_{l+1}}$.

If a question is asked in $\overline{r_{l+1}}$ then the play has the following form:

$$\begin{array}{lllll} r_{l+1}: & \ldots u_{i-1} & \$_l & u & d \\ \mathcal{V}_{l+1}: & \mid & \mid & \mid & \mid \\ \overline{r_{l+1}}: & \ldots \overline{u_{i-1}} & \overline{\$}_l & v & e \end{array}$$

with $u$, $v$ being prefixes of $u_i$; $e$ being a question, and $d$ a synchronization action of $r_{l+1}$ with $\mathcal{V}_{l+1}$. So $d$ can be a question or $\$_l$. Observe that after reading $\overline{\$}_l \$_l$ process $\mathcal{V}_{l+1}$ is in the state eq. It means that if the sequence $ed$ is not $(\downarrow, c)(\downarrow, 1 - c)$ for some $c \in \Sigma_l$ then $\mathcal{V}_{l+1}$ enters state loop. From there it can calculate how many inputs from $r_{l+1}$ and $\overline{r_{l+1}}$ it is going to receive. It receives them and then enters the accepting state. If $ed$ is $(\downarrow, c)(\downarrow, 1 - c)$ then $\mathcal{V}_{l+1}$ enters state neqtest. Since $r_{l+1}$ and $\overline{r_{l+1}}$ output the same iterated counter it must be that the questions are placed in different positions of the two counters. But then $\mathcal{V}_{l+1}$ will receive from the two processes a different number of $\Sigma_l$ letters. Hence it will enter eventually into the accepting state also in this case.

Process $\overline{r_{l+1}}$ after receiving a question moves to a test component where it transmits the remaining part of the $l$-counter to $\mathcal{V}_{l+1}$ followed by $\overline{\$}_l$. Then it enters into the loop state of the test copy and can continue to generate $c$ since it can do any transition in this state. As for process $r_{l+1}$, if $d$ is a question, then it does the same thing as $\overline{r_{l+1}}$. If $d$ is $\$_l$ then $r_{l+1}$ can continue to produce $c$, and both $\mathcal{V}_{l+1}$ and $\overline{r_{l+1}}$ can simulate their behaviour as if no question has occurred. If the environment asks a question to $r_{l+1}$ at some moment, it too will enter into accepting state and continue to produce $c$.

If the first counter with a question is in $r_{l+1}$ but not in $\overline{r_{l+1}}$ then the play has the form:

$$\begin{array}{lllllll} r_{l+1}: & \ldots u_{i-1} & \$_l & & & u & d \\ \mathcal{V}_{l+1}: & \mid & \mid & \mid & \mid & \mid & \\ \overline{r_{l+1}}: & \ldots \overline{u_{i-1}} & \overline{\$}_l & \overline{u_i} & \overline{\$}_l & v & e \end{array}$$

where $u$ is a prefix of $u_i$, $v$ a prefix of $u_{i+1}$, $d$ is a question, and $e$ a synchronization of $\overline{r_{l+1}}$ with $\mathcal{V}_{l+1}$. Observe that after reading $\$_l \overline{\$}_l$ process $\mathcal{V}_{l+1}$ is in state succ. As before our first goal is to show that $\mathcal{V}_{l+1}$ gets to an accepting state. If the sequence $de$ is not $(\searrow, c_l)(\searrow, 1 - c_l)$ then we reason as in the previous case. Otherwise $\mathcal{V}_{l+1}$ gets to state neqtest. As before we can deduce that the two questions are asked at different positions of the respective counters. Which means that $\mathcal{V}_{l+1}$ will receive a different number of $\Sigma_l$ letters from $r_{l+1}$ and $\overline{r_{l+1}}$ so it will get to state loop. The rest of the argument is exactly the same as in the previous case.

□

We will show that in order to win in $\mathcal{C}^l$ the system has no other choice than to generate an iterated $l$-counter. Before this we present a general useful lemma:

Lemma 8. Consider a plant $\mathcal{C}$ consisting of two plants $\mathcal{C}_1$ and $\mathcal{C}_2$ over process sets $\mathbb{P}_1$ and $\mathbb{P}_2$, respectively. We assume that there exist $r_1 \in \mathbb{P}_1$ and $r_2 \in \mathbb{P}_2$ such that each action $a$ in $\mathcal{C}$ is such that either $dom(a) \subseteq \mathbb{P}_1$ or $dom(a) \subseteq \mathbb{P}_2$, or $dom(a) \subseteq \{r_1, r_2\}$. Then every winning strategy in $\mathcal{C}$ gives a winning strategy in $\mathcal{C}_1$.

Proof. Just fix the behaviour of the environment in $\mathcal{C}_2$ and play the strategy in $\mathcal{C}$. □

With this at hand we can now prove the main lemma. 

Lemma 9. If a is a winning strategy inC^^^ and x is a a-play with no question 
then the projection of x on IJj^i ;_|_i Sf is an iterated {I + l)-counter. 

Proof. By the construction of C'^^, if there is no question during a cr-play, 
then the play is uniquely determined by the strategy. We will show that this 
unique play is an iterated {I + l)-counter. 

By applying Lemma [s] twice we obtain from a a winning strategy in CK By 
induction assumption the projection of x on IJj^i ; Sf is an iterated Z-counter. 
Thus, between every two consecutive $j we have a letter from Si^i, followed by 
an /-counter and (as long as we stay in the main part). The same holds for 
the fi+T part. It remains to show that the sequence uq, ui, . . . of these Z-counters 
represents the values 0, 1, . . . modulo Tower{2, 1), and the same for the sequence 
tto , itl, . . . 

Assume that this is not the case and let i be the index where the first error 
occurs. We will construct a play winning for the environment. 

Let us first assume that the value of Ui is correct but the one of Ui is not. 
Let k be the first position where the error occurs in the Ui counter. After the 
k-th letter of Ui is transmitted to n+i the environment can execute action (J,
, c) . Similarly, in process r;+i after the k-th letter the environment can execute
(4,, 1 − c). Notice that these two questions are concurrent and happen after the
letters of the corresponding counters are generated. Process $V_{l+1}$ goes to neqtest
since it receives (i,c), and {1, 1 − c). On the other levels the environment does
not choose test actions. By induction, processes $r_l$ and $\bar r_l$ will continue to generate
iterated l-counters, since there are no questions in $C^l$ and $\bar C^l$. As the environment
has chosen the same position k in both counters, process $V_{l+1}$ will receive the
same number of letters from $r_{l+1}$ and $\bar r_{l+1}$ thus entering into a rejecting state.
This contradicts the assumption that the strategy in was winning. 

The second case is where the value of Ui equals i (mod Tower(2, l)), but the
one of Ui^i is different from (i + 1) (mod Tower(2, l)). Let k be the position
of the first error. In this case the environment can execute actions (\,, c), and
(\, c) or (\,, 1 − c), depending on whether or not there is some ai before position
k in Mi. As in the case above, these two questions are concurrent because process
$V_{l+1}$ first synchronizes with n+I and then with rj+i. The same argument as
above shows that in this case we could find a play consistent with $\sigma$ and winning
for the environment. □
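
The position-wise test behind the second case of the proof, written out as an added Python example (not code from the paper): a letter c at position k of one counter must reappear as c in the next counter if some 0 occurs before position k, and as 1 − c otherwise. It assumes that letter a is read as bit 0 and b as bit 1 with the least significant position first, and that Tower(n, 1) = n and Tower(n, l + 1) = 2^Tower(n, l); all function names are illustrative.

```python
def tower(n, l):
    """Assumed definition: Tower(n, 1) = n, Tower(n, l + 1) = 2 ** Tower(n, l)."""
    value = n
    for _ in range(l - 1):
        value = 2 ** value
    return value


def encode(value, width):
    """Constructed encoding: bits of value mod 2**width, least significant first."""
    return [(value >> k) & 1 for k in range(width)]


def expected_letter(u, k):
    """Letter the successor of counter u must carry at position k.

    Position k keeps its letter c when some 0 occurs before k in u, because
    the carry stops there; otherwise the carry reaches k and the letter is 1 - c.
    """
    c = u[k]
    return c if 0 in u[:k] else 1 - c


def first_successor_error(u, v):
    """First position where v differs from u + 1 (mod 2**len(u)), else None."""
    for k in range(len(u)):
        if v[k] != expected_letter(u, k):
            return k
    return None


def first_sequence_error(counters):
    """(i, k): index of the first wrong counter and its first wrong position.

    The sequence is correct when counter 0 encodes 0 and each counter is the
    successor of the previous one; then None is returned.
    """
    if 1 in counters[0]:
        return (0, counters[0].index(1))
    for i in range(len(counters) - 1):
        k = first_successor_error(counters[i], counters[i + 1])
        if k is not None:
            return (i + 1, k)
    return None


if __name__ == "__main__":
    width = tower(2, 2)                          # 4 positions, values mod Tower(2, 3) = 16
    seq = [encode(v, width) for v in range(18)]  # constructed sample, wraps past 15
    seq[5][2] ^= 1                               # inject one wrong letter
    print(first_sequence_error(seq))
```

Every check looks at one position of two consecutive counters plus one bit of summary (whether a 0 occurred earlier), which is why a single pair of concurrent questions is enough to expose the first error.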

Putting Lemmas 7 and 9 together we obtain:

Proposition 2. For every l, the system has a winning strategy in $C^l$. For every
such winning strategy $\sigma$, if we consider the unique $\sigma$-play without questions then
its projection on $\bigcup_{i=1,\dots,l} \Sigma_i^{\#}$ is an iterated l-counter.



Theorem 5. Let l > 0. There is an acyclic architecture of diameter 2^ + 1 and
with (2'+"^ − 3) processes such that the space complexity of the control problem
for it is $\Omega$(Tower(n, l))-complete.

Proof. First observe that the plant $C^l$ has (2'+^ − 3) processes and diameter
2l − 1. It is straightforward to make the l-counter count till Tower(n, l) and not
to Tower(2, l) as we have done in the above construction. For this it is enough
to make the 1-counter count to n instead of just to 2.

We will simulate space bounded Turing machines. Take a machine M and a 
word w of length n. We want to reduce the problem of deciding if w is accepted 
by M to the problem of deciding if the system has a winning strategy for a plant 
C(M, w) of size polynomial in the sizes of M and w. 

A Tower(n, l) size configuration can be encoded by an (l + 1)-counter. In
an iterated (l + 1)-counter we can encode a sequence of such configurations.
The plant C(M, w) is obtained by a rather straightforward modification of the
construction of $C^{l+1}$. Instead of ensuring that the value of the first counter is 0,
it needs to ensure that it represents the initial configuration. Instead of ensuring
that the two successive counters represent two successive numbers, it needs to
ensure that they represent two successive configurations. Using Proposition 2, the
problem of deciding if a Tower(n, l)-space bounded Turing machine M accepts w
is polynomially reducible to the problem of deciding if the system has a winning
strategy in the so obtained C(M, w). The size of C(M, w) is exponential in l and
polynomial in M, w, n. The game can be constructed in time proportional
to its size. □



5 Conclusions 

Distributed synthesis is a difficult and at the same time promising problem, since 
distributed systems are intrinsically complex to construct. We have considered a 
simple, yet powerful model based on synchronization using shared memory, as
used in multithreaded programs or by hardware primitives such as compare-and-swap.
Under some restrictions we have shown that the resulting control problem
is decidable. Since every process is allowed to interact with the environment, our
tree architectures are quite rich and allow modelling hierarchical situations, like
server/clients. Such cases are undecidable in the setting of Pnueli and Rosner.

Already Pnueli and Rosner in [17] strongly argue in favour of asynchronous
distributed synthesis. The choice of transmitting additional information while
synchronizing is a consequence of the model we have adopted. We think that it
is interesting from a practical point of view. It is also interesting theoretically,
since it allows us to avoid simple (and unrealistic) reasons for undecidability. Our
lower bound result is somewhat surprising. Since we have full information sharing,
all the complexity must be hidden in the uncertainty about other processes
performing in parallel.

Important problems remain open, in particular the decidability without the
acyclic restriction. A more immediate task is to consider non-blocking winning
conditions and Büchi specifications. A further interesting research avenue is synthesis
of open, concurrent recursive programs, as considered e.g. in [1].